China cuffs hackers at US request to stave off sanctions

Cooperation – what a concept

Hacking suspects have been arrested in China by the nation's authorities at the behest of the US government for the first time, The Washington Post reports.

The unprecedented arrests took place in early September – shortly before Chinese President Xi Jinping's state visit to Washington – and appeared aimed at providing a show of good faith and forestalling the possibility of the US levying economic sanctions against China.

Washington has been complaining for years that state-sponsored hackers from China have been ransacking US hi-tech firms in order to steal secrets subsequently handed over to Chinese firms. Aerospace and military contractors have been the most high-profile examples of such skullduggery, but examples abound across many sectors, according to various US security intelligence firms.

China has always insisted it doesn't engage in the theft of commercial secrets, and claims it's more hacked against than hacking. Few independent infosec experts believe these denials, essentially because of the weight of circumstantial evidence of hacking by PLA (People's Liberation Army) units and other elements of the Chinese state.

US intelligence and law enforcement agencies reportedly put together a list of hackers the United States wanted arrested. China has seemingly responded to this and arrested an unspecified number of suspects. Details of how many were cuffed and what exactly they are accused of remain unclear.

Beijing watchers are waiting to see whether local prosecutions will follow. It's as yet unclear whether the arrests represent a shift in policy or a temporary move designed to placate the US and avoid the possibility of sanctions at a time when China's growth is imperiled by local stock market instability.

US President Barack Obama and Chinese President Xi Jinping agreed last month to a deal in which neither side will engage in commercial espionage against the other. The pact has no bearing on political or "national security" targets, which are still considered fair game, as previously reported.

The deal featured a Chinese commitment to provide "timely responses" to requests for assistance from the US related to hacking attacks. This commitment came after the arrests.

"I bet they nabbed 'contractors,' not PLA/MSS*," FireEye/Mandiant strategist Richard Bejtlich said in a series of tweets about the arrests. "If CN gov arrested [PLA Unit] 61398 members, CN gov will likely claim they were rogue actors. Fits w/anti-corruption campaign, but bad for PLA morale."

PLA Unit 61398 (APT1) is a Shanghai-based Chinese army unit blamed for mounting a sustained series of cyberattacks against US businesses, and outed by FireEye in 2013. Five 61398 officers were indicted on charges of theft of confidential intellectual property and planting malware in US corporations back in May 2014. Those arrested in China last month may have nothing to do with that earlier case.

If a case based on the recent arrests goes forward, it's more likely to be dealt with in China, according to Bejtlich.

"Next milestone would be extradition of CN hackers to US. I doubt that will happen. Dangerous precedent. Wouldn't want our guys sent to CN," he noted. ®